IBM Support

IV93261: MQ SDR CHANNEL TO ZOS WAS SIB RCVR FAILS TO START WITH TLS 1.2

Subscribe

You can track all active APARs for this component.

 

APAR status

  • Closed as program error.

Error description

  • MQ Sender channel (mqlink) to zOS WebSphere Application Server
    (WAS) Service Integration Bus (SIB) Receiver channel unable to
     start with with TLS 1.2 cipher and certificates signed with
    SHA2 signature.
    
    MQ queue manager error log shows:
     AMQ9209: channel closed
     AMQ9999: Channel ended abnormally
    
    WAS OUTPUT.txt log shows:
     SIBFAPInboundThreadPool : 0, fatal error: 80: problem
    unwrapping net record
     javax.net.ssl.SSLHandshakeException: Certificates within the
    CertificateMsg to be sent to the   client contain signatures
    which are not allowed
     %% Invalidated:  Session-1, SSL_RSA_WITH_AES_128_CBC_SHA256
     SIBFAPInboundThreadPool : 0, SEND TLSv1.2 ALERT:  fatal,
    description = internal_error
    

Local fix

  • Use certificates signed with SHA1 signature algorithm.
    

Problem summary

  • ****************************************************************
    USERS AFFECTED:
    This issue affects users of MQ v7.1 and 7.5 who are establishing
    a TLS 1.2 channel connection to an endpoint other than another
    MQ queue manager.
    
    This has been seen with an MQLINK SIB Receiver channel on WAS,
    where the SIB application acts as an MQ RCVR channel.
    
    Connections from an MQ queue manager via TLS proxies which are
    non-transparent may also be impacted, depending on the proxy
    implementation's response to the absence of the TLS 1.2
    signature algorithms extension.
    
    
    Platforms affected:
    MultiPlatform
    
    ****************************************************************
    PROBLEM DESCRIPTION:
    When an MQ Queue Manager established an outbound TLS 1.2
    connection, it omitted to send the signature algorithms
    extension as described in RFC 5246.
    
    This extension may be used by the receiving end of the TLS 1.2
    to determine the certificate to send in response. Where another
    MQ queue manager was the receiving end of the connection, this
    omission had no impact, as certificate configured for the queue
    manager (or channel) would be returned regardless.
    
    In the failing case, the SIB application chose not to offer a
    SHA-2 signed signature to the initiating side of the connection,
    due to the omission of the signature algorithms extension. This
    caused the connection to fail.
    

Problem conclusion

  • The MQ queue manager outbound channel logic has been updated to
    set the signature algorithms extension for outbound TLS 1.2
    connections.
    
    ---------------------------------------------------------------
    The fix is targeted for delivery in the following PTFs:
    
    Version    Maintenance Level
    v7.1       7.1.0.9
    v7.5       7.5.0.8
    
    The latest available maintenance can be obtained from
    'WebSphere MQ Recommended Fixes'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006037
    
    If the maintenance level is not yet available information on
    its planned availability can be found in 'WebSphere MQ
    Planned Maintenance Release Dates'
    http://www-1.ibm.com/support/docview.wss?rs=171&uid=swg27006309
    ---------------------------------------------------------------
    

Temporary fix

Comments

APAR Information

  • APAR number

    IV93261

  • Reported component name

    WMQ LIN X86 V7

  • Reported component ID

    5724H7224

  • Reported release

    710

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-02-09

  • Closed date

    2017-02-28

  • Last modified date

    2017-02-28

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    WMQ LIN X86 V7

  • Fixed component ID

    5724H7224

Applicable component levels

[{"Line of Business":{"code":"LOB36","label":"IBM Automation"},"Business Unit":{"code":"BU053","label":"Cloud & Data Platform"},"Product":{"code":"SSFKSJ","label":"WebSphere MQ"},"Platform":[{"code":"PF025","label":"Platform Independent"}],"Version":"7.1"}]

Document Information

Modified date:
08 March 2021